Wire fraud controls
Wire fraud is rarely a technology failure. It is a trust-routing failure inside an organisation. The controls below are for finance, IT, and the executives who keep accidentally being the weakest link.
Most wire fraud succeeds because normal process breaks under pressure. The fraud is not in the email. It is in the moment a finance controller decides that “this once” the callback can be skipped because the request is from the CFO and the deadline is real and the supplier is known and the amount is on the edge of the threshold and the controller is in a meeting and the answer feels obvious.
The defence is not better-trained users. The defence is a process that does not bend when an executive pushes, when a deadline shortens, when a thread looks legitimate, when the supplier’s email account is the one sending the new bank details. A rushed process is an exposed process. Every bypass attempt, every exception, every “just this time” is the attacker’s product working.
Modern operations are not 2019 BEC. The attacker is increasingly sitting inside a real compromised mailbox, for weeks, reading the thread before they alter it. They impersonate over Teams and WhatsApp. They use deepfake voice. They wait for travel. They learn the supplier’s writing style. The technical surface is wider than the inbox.
Run this review quarterly. Walk it with finance and at least one executive in the room. Controls without ownership fail under pressure. If nobody owns the validation process, attackers eventually will.
Any unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it, by name, in writing.
Checklist
Verification before money moves
- Out-of-band callback to a known number is mandatory above a written threshold (Critical). Not the number in the email. The number from your records.
- Callback verification is never an email reply or a reply in the same thread (Critical)
- Two-person approval required for new payee or changed bank details (Critical)
- New payees have a cooling-off period before the first payment
- Finance team checks payee against known-bad list and recent fraud reports
- A named person owns the validation process and has authority to stop a payment (Critical). Controls without ownership fail under pressure.
Mailbox and identity compromise
- DMARC at p=reject for finance-relevant domains (Critical)
- Lookalike domain monitoring is active and reviewed weekly
- External-sender banner visible on every inbound message
- Alerts fire on creation of any new inbox-forwarding rule (Critical)
- External auto-forwarding is blocked at the tenant level (Critical). Allow on exception only, with audit and review.
- Impossible-travel and anomalous-sign-in alerts active on finance and exec accounts (Critical)
- OAuth app grants and consent policies reviewed quarterly (Critical). A compromised meeting-notes or mail app can create forwarding rules without touching the password.
- Phishing-resistant MFA (hardware key or passkey) on every finance and exec account (Critical)
- Third-party meeting and note-taking apps inventoried and reviewed for inbox scope
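Detection logic for the two forwarding items above, as an added example that is not part of the original page: it triages constructed audit records, modelled loosely on the Microsoft 365 unified audit log shape, flags every newly created or modified forwarding rule, and raises severity when the target domain is outside the tenant. The parameter names ForwardTo, ForwardAsAttachmentTo and RedirectTo are those of Exchange inbox rules; the record layout, domains and addresses are constructed assumptions.

```python
from typing import Dict, Iterable, List

# Constructed tenant domain; replace with the organisation's own accepted domains.
INTERNAL_DOMAINS = {"example.com"}
# Parameters an Exchange inbox rule (New-InboxRule / Set-InboxRule) uses to send mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed audit records, loosely modelled on the Microsoft 365 unified audit log shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-02T07:14:09", "Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "archive@mail-relay.test"}]},
    {"CreationTime": "2024-05-02T09:30:00", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "EA copy"},
                    {"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"CreationTime": "2024-05-02T10:01:00", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-05-02T10:05:00", "Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "Parameters": []},
]

def forwarding_targets(record: Dict) -> List[str]:
    """Addresses a rule record forwards or redirects to (empty for non-forwarding rules)."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    targets = []
    for name in FORWARDING_PARAMS:
        targets.extend(a.strip().lower() for a in params.get(name, "").split(";") if a.strip())
    return targets

def is_external(address: str) -> bool:
    """True when the mailbox domain is not one the tenant owns."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def triage(records: Iterable[Dict]) -> List[Dict]:
    """One alert per created or modified forwarding rule; external targets are critical."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        targets = forwarding_targets(rec)
        if not targets:
            continue  # a move-to-folder rule is logged elsewhere but is not a forwarding alert
        alerts.append({"time": rec["CreationTime"], "user": rec["UserId"], "targets": targets,
                       "severity": "critical" if any(is_external(t) for t in targets) else "high"})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```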
Supplier trust chain
- Bank-detail changes are validated outside the existing email thread (Critical). The attacker is usually already in the thread. Verifying inside it confirms them.
- Supplier changes require contact via a number or address you held before the change request (Critical)
- Finance team is trained on invoice-chain hijack patterns (real supplier, real thread, swapped details) (Critical)
- Supplier portals have MFA and change-of-bank-detail audit trails
- Vendor bank-detail changes only accepted through a single documented channel
- Supplier compromise indicators are shared between supplier and customer security teams (Maturity)
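The payment gate implied by the "Verification before money moves" and "Supplier trust chain" sections, written out as an added example (not the page's own process): the callback number must come from the record held before the request, a reply in the thread never counts as verification, changed bank details need two distinct approvers and a callback regardless of amount, and new payees wait out a cooling-off period. The threshold, cooling-off length, names and account strings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy values: the page only requires that the threshold be written down.
CALLBACK_THRESHOLD = 25_000.00
COOLING_OFF_DAYS = 7
APPROVERS_FOR_CHANGE = 2

@dataclass(frozen=True)
class PayeeRecord:
    """What finance held on file before the current request arrived."""
    account: str        # bank account currently on file
    phone_on_file: str  # the number from your records, never one taken from an email
    created: date       # when the payee was first set up

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    amount: float
    account: str                    # account the request asks to be paid
    approvers: tuple                # people who signed off on the payment
    callback_number: Optional[str]  # number actually dialled for verification, if any
    callback_in_thread: bool        # True when the "verification" was a reply in the email thread
    requested: date

def validate_payment(req: PaymentRequest, records: Dict[str, PayeeRecord]) -> List[str]:
    """Return blocking findings; an empty list means every check modelled here passed."""
    findings = []
    record = records.get(req.payee)
    if record is None:
        return ["payee not on file: set it up first, then wait out the cooling-off period"]
    changed_details = req.account != record.account
    if (req.requested - record.created).days < COOLING_OFF_DAYS:
        findings.append("new payee is still inside the cooling-off period")
    if changed_details and len(set(req.approvers)) < APPROVERS_FOR_CHANGE:
        findings.append("changed bank details need two distinct approvers")
    # A callback is mandatory above the threshold and whenever the details differ from file.
    if req.amount >= CALLBACK_THRESHOLD or changed_details:
        if req.callback_in_thread:
            findings.append("verification was an email reply; it must leave the thread")
        if req.callback_number is None:
            findings.append("no out-of-band callback recorded")
        elif req.callback_number != record.phone_on_file:
            findings.append("callback number does not match the number held on file")
    return findings

if __name__ == "__main__":
    records = {"Acme Ltd": PayeeRecord("GB00-ACME-0001", "+44 20 7946 0000", date(2024, 1, 10))}
    swapped = PaymentRequest("Acme Ltd", 5_000.00, "GB00-MULE-0009", ("a.clerk",),
                             "+44 7700 900123", False, date(2024, 6, 3))
    print(validate_payment(swapped, records))  # two findings: approvers and callback number
```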
Collaboration channels and executive contact
- Financial approvals are prohibited over chat-only channels (Teams, Slack, WhatsApp, SMS) (Critical). A chat message is not authorisation. The channel can be impersonated or hijacked.
- Executive urgent-payment requests require out-of-band verification through a pre-agreed channel (Critical)
- Finance team is trained to recognise Teams, Slack, WhatsApp, and SMS impersonation patterns (Critical)
- Executive travel is treated as elevated fraud risk and flagged to finance
- Procedure exists for verifying an unknown number that claims to be an executive
- Position is decided in advance on voice and video deepfake exec requests (Maturity)
Executive failure modes
- Executive instruction does not bypass the verification process (Critical). Written down. Signed by the executive. Posted in finance.
- Seniority does not override payment validation (Critical)
- Executives are briefed that verification friction is the control working, not a service failure (Critical)
- Executives have walked a wire-fraud scenario this year, not just read the policy (Critical)
- Attempts to bypass the validation process are logged and reviewed
- Elevated controls apply automatically when an executive is travelling
Process resilience
- Finance team is trained that urgency is a fraud signal, not a service signal (Critical). A rushed process is an exposed process.
- Finance team runs a wire-fraud tabletop quarterly
- Finance team knows how to reach legal, IT, and the bank, in that order
- Anomaly monitoring on payment volume, payee newness, and timing (Maturity)
- Vendor risk register notes which counterparties have had prior compromise indicators (Maturity)
- Large payments require confirmation through two independent channels